With the widespread use of communication networks, diverse approaches are used to launch cyber attacks on various services and infrastructures through those networks.
Security appliances such as an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System) and a firewall (FW) are known and provided to cope with the threat of such cyber attacks and to control communication at a gateway for communication data. The firewall and IDS/IPS take defensive measures against malicious communication by monitoring information entering an internal network from an external network, as illustrated in FIG. 20, for example.
Moreover, in recent years, a rule-based analysis technique has become known that collects logs of a network appliance and the security appliance and detects a state (behavior) of malicious communication by using an analysis rule, as illustrated in FIG. 20. In such a technique, for example, malicious network traffic is identified and analyzed to generate an analysis rule by which malicious communication and behavior are detected. The generated analysis rule is then used to monitor the behavior of communication and detect malicious communication and the like.
The result detected by a technique using an analysis rule is influenced by the parameters and thresholds used in that rule. It is thus important to set proper parameters and thresholds to prevent false detection.
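The following is an added illustration of that sensitivity and is not taken from the original document. The rule (`detect`), its `window_s` and `threshold` parameters, the log events and the ground-truth labels are all constructed assumptions, chosen to show how one rule produces different false detections and misses as its parameters change.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the page): (epoch_seconds, source_ip, firewall_action)
EVENTS = (
    [(t, "10.0.0.5", "DENY") for t in range(0, 16, 2)]      # fast burst: 8 denies in 14 s
    + [(t, "10.0.0.9", "DENY") for t in (0, 25, 50, 75)]    # slow source: 4 denies over 75 s
    + [(t, "10.0.0.7", "DENY") for t in (100, 101, 102)]    # benign client retrying
    + [(40, "10.0.0.8", "DENY"), (41, "10.0.0.8", "ALLOW")]
)
MALICIOUS = {"10.0.0.5", "10.0.0.9"}   # constructed ground-truth labels


def detect(events, window_s, threshold):
    """Hypothetical analysis rule: flag a source that has >= threshold DENY
    events inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, action in sorted(events):
        if action != "DENY":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def evaluate(events, truth, window_s, threshold):
    """Return (false_positives, missed) for one parameter choice."""
    flagged = detect(events, window_s, threshold)
    return flagged - truth, truth - flagged


if __name__ == "__main__":
    for window_s, threshold in [(60, 3), (60, 4), (10, 3), (10, 4)]:
        fp, missed = evaluate(EVENTS, MALICIOUS, window_s, threshold)
        print(f"window={window_s:>3}s threshold={threshold}: "
              f"false positives={sorted(fp)} missed={sorted(missed)}")
```

On this sample no listed parameter pair is free of error: a threshold of 3 flags the benign retrying client, while a threshold of 4 or a 10-second window misses the slow source.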